Bug 2493411 (CVE-2026-14164) - CVE-2026-14164 libarchive: Double-Free Vulnerability in RAR5 Decompression Logic via dangling filtered_buf pointer in init_unpack()
Summary: CVE-2026-14164 libarchive: Double-Free Vulnerability in RAR5 Decompression Lo...
Keywords:
Status: NEW
Alias: CVE-2026-14164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494761 2494762 2494763
Blocks:
Reported: 2026-06-26 13:02 UTC by OSIDB Bzimport
Modified: 2026-06-30 06:58 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-26 13:02:01 UTC
A double-free vulnerability exists in the libarchive RAR5 reader subsystem within archive_read_support_format_rar5.c where the state tracking pointer rar->cstate.filtered_buf can be linked to a temporary filter output block during archive decompression. When the unpacking engine subsequently processes an adjacent file or resets its internal state layout via init_unpack(), it releases the allocation mapped to filtered_buf but fails to clear or nullify the underlying pointer variable. A specially crafted RAR5 archive can exploit this lingering dangling pointer by forcing a secondary release operation on the exact same memory address, triggering a standard memory-manager abort that immediately crashes the application and results in a Denial of Service (DoS).
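The release-without-clearing pattern named in the description, next to a hardened reset that clears the pointer, as an added example that is not libarchive's code or its patch. Only the field name filtered_buf comes from the report; the struct layout, the allocator shim and every function name are hypothetical, and the shim counts a repeated release instead of passing it to free() a second time.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-in for the reader's compression state (hypothetical layout). */
struct comp_state { uint8_t *filtered_buf; };

/* Allocator shim (hypothetical): counts a repeated release of the same
 * address instead of passing it to free() a second time. */
static uintptr_t last_freed;
static int duplicate_releases;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if ((uintptr_t)p == last_freed) last_freed = 0; /* address handed out again */
    return p;
}

static void tracked_free(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    if (addr == 0) return;                          /* free(NULL) is a no-op */
    if (addr == last_freed) { duplicate_releases++; return; } /* double free */
    free(p);
    last_freed = addr;
}

/* Pattern from the description: buffer released, pointer left dangling. */
static void reset_unsafe(struct comp_state *cs) { tracked_free(cs->filtered_buf); }

/* Hardened reset: release, then clear, so a repeated reset sees NULL. */
static void reset_safe(struct comp_state *cs)
{
    tracked_free(cs->filtered_buf);
    cs->filtered_buf = NULL;
}

/* Two consecutive resets of one state; returns duplicate releases seen. */
static int run_two_resets(void (*reset)(struct comp_state *))
{
    struct comp_state cs = { tracked_alloc(64) };
    if (cs.filtered_buf == NULL) return -1;
    duplicate_releases = 0;
    reset(&cs);
    reset(&cs);
    return duplicate_releases;
}

int main(void) { return !(run_two_resets(reset_unsafe) == 1 && run_two_resets(reset_safe) == 0); }
```
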

